Method for determining an encryption key associated with an integrated circuit

ABSTRACT

A method and an apparatus for determining an encryption key associated with an integrated circuit having a memory plane that includes a matrix of electric contacts on it&#39;s surface and a layer of inhomogeneous electric resistivity material disposed on the matrix. An encryption key is determined by the integrated circuit on the basis of the random distribution of the electrical resistances connecting the various electric contacts of the matrix.

FIELD OF THE INVENTION

The present invention concerns a method for determining an encryptionkey associated with an integrated circuit. It also concerns a renderedsecure integrated circuit implementing said method.

BACKGROUND OF THE INVENTION

The invention can be applied advantageously for rendering smart cardssecure, especially the smart cards used in encrypted television.

Generally speaking, smarts cards comprise a plastic card body and anelectronic module inserted in a cavity fitted in said card body. Theelectronic module is made up of an integrated circuit or chip placed ona support provided with metallic zones for ensuring the electric linkbetween the module and a card reader. The integrated circuit can be anEEPROM type memory for, for example, telecard applications or amicroprocessor for bank card, mobile `phone or even encrypted televisionapplications.

Thus, most of the smart cards are used to carry out electronictransactions, which naturally implies that there is an attempt todefraud those systems using smart cards so as to be able to benefit fromthe services provided by these systems without paying for said services.

So as to avoid or, at least, limit the fraud, the information exchangedwith the smart card electronic module are encrypted according to variouswell-documented methods. It merely suffices to be aware that themessages received by the integrated circuits of the cards are encryptedwith keys known an encrypting keys and are stored in the non-volatilememory of the circuits. These keys can be protected against any externalreading by masking the level of the memory plane in which they arerecorded by several levels of metal serving as a screen whilst takingpart in the dynamics of the circuit.

However, the degree of safety obtained is not absolute as it is alwayspossible for an experienced defrauder to gain access to the secret keysvia a functional analysis of the integrated circuit.

SUMMARY OF THE INVENTION

Also, the technical problem to be resolved by the object of the presentinvention concerns proposing a method for determining an encryption keyassociated with an integrated circuit having a memory plane, said methodmaking it possible to reach a level for a much higher protection of theencryption keys owing in particular to a static storage of the keysoutside the memory plane and therefore inaccessible by means of afunctional analysis of the circuit.

According to the present invention, the solution to the technicalproblem consists of said method comprising the following stages:

(a) producing a matrix of N electric contacts C_(i) (i=1) . . . , N) onthe surface of the memory plane,

(b) placing on said matrix a layer of a random inhomogeneous electricresistivity material,

(c) determining said encryption key, known as the resistive key Kr, onthe basis of the random distribution of the electric resistancesconnecting the various electric contacts C_(i) of the matrix.

Thus, the resistively random structure of said layer is used as agenerator of the encryption key Kr associated with the integratedcircuit. This key is therefore never stored in the memory plane of thecircuit and, because of this, is restored on each occasion theintegrated circuit is charged. Furthermore, it can be observed that thematerial layer forms a screen which protects the circuit againstfraudulent readings. If this layer is removed or altered, the key ismodified and the information shall stay encrypted permanently. It ispossible to read by a device external to the integrated circuit thevalues of the resistances taken into account by the method of theinvention so as to determine the encrypting key Kr.

One first improvement consists of providing the integrated circuit withan alarm mechanism. This makes it possible to detect attempts of fraudand take particular steps, such as the erasing of sensitive information.

According to the invention, to achieve this, the stage (c) furtherincludes the determination on initialization of the integrated circuitof another resistive key KA, known as an alarm key, which is entered ina non-volatile memory of said circuit, and said second resistive key KAis measured on each charging of the integrated circuit and compared withthe stored value of KA, the encryption key Kr being erased should anegative comparison occur. So as to provide operational reliability forthis embodiment, several improvements can be made to it:

The key KA is measured from uncorrelated resistances with those used todetermine the key Kr so that Kr can be deduced from KA.

The key KA is measured several times up to a maximum number,

on each measurement of KA, information is entered in the non-volatilememory of the integrated circuit, for example updating of the number oftests still authorized, if any.

Rather than store the entire key KA, it is possible to merely store acondensed version (CRC, hashing) and carry out a conformity test.

The resistive key Kr is not measured if the measured value of KA doesnot conform as required.

A second improvement of the method of the invention consists in that thestage (c) further includes the determination on initialization of theintegrated circuit of another resistive key KS, known as a stand-by key,which is entered in a non-volatile memory of said circuit, and in that akey KD is calculated from the resistive keys Kr and KS so that theencrypting key Kr can be calculated from the keys KS and KD, the key KDbeing entered in the non-volatile memory of the integrated circuit.

By way of example, said calculation means may be an `or exclusive` andin this case results in:

    KD=Kr+KS

and

    Kr=KD+KS

The integrated circuit can be provided with a mechanism making itpossible to check the value Kr. In particular, it is possible to use acheck-sum basis mechanism calculated by the integrated circuit andstored in its memory. It is essential that it is impossible to deducethe key Kr from this check-sum. It is therefore preferable that thelength of the check-sum is extremely short with respect to that of thekey Kr.

When starting the device, the chip concerned checks the key Kr. If theresult is unsatisfactory, it looks for the stand-by key KS and is thenable to re-establish Kr knowing KD. This constitutes a coveringmechanism should there be a measurement or drift error of Kr.

At the moment when it detects that Kr is erroneous, the integratedcircuit informs the outside world of this error. This allows forfunctioning in graceful degradation mode with KS whilst preparing forthe replacement of the integrated circuit. It is also possible totime-limit the degradation mode, the circuit itself being disabled aftera certain number of uses in degradation mode.

According to a particular embodiment of the invention, the integratedcircuit possesses certain of its own information CI defining a list ofresistances to be used for determining said resistive keys Kr, KA andKS. In this way, drive attack is also rendered inoperative as thedefrauder would not be able to deduce the resistive key Kr of the cardof the resistances.

According to one variant of this latter embodiment, the measuring meansonly measure the useful resistances whose list depends on theinformation CI.

According to another embodiment of the invention, the list ofresistances to be used is established by the integrated circuit at thetime of initialization according to the resistances measured. Said listis entered in a non-volatile memory of the circuit and completes theinformation CI or takes the place of it. Of course, after initializationof the integrated circuit, any entering of lists in said non-volatilememory is inhibited, for example by a physical or logic fuse.

According to a first application example, said list comprisesresistances with sufficiently remote values. This ensures that a minorchange of the resistance values does not modify the resistive key Kr.

According to a second application example, said list comprisesresistances with values of the same order of magnitude. This prevents adefrauder from measuring the resistances of the layer by surface probesand then be able to deduce from this the resistive key Kr.

Finally, said list also comprises resistances with values containedinside a given range so as to cumulate the two preceding examples.

So as to further improve the degree of safety offered by the method ofthe invention, following stage (B) is a stage consisting of placing ametallic screen on said material layer with random inhomogeneouselectric resistivity.

According to one particular mode for implementing the method of theinvention, said material with random inhomogeneous electric resistivityis embodied by mixing a low electric resistivity ink with a highelectric resistivity ink.

Finally, according to the present invention, an integrated circuitrendered secure having a memory plane is notable in that it comprises amatrix of N electric contacts Ci (i=1, . . . , N) on the surface of saidmemory plane, a layer of a random electric inhomogeneous resistivityplaced on said matrix and means for determining an encryption key Krknown as a resistive key on the basis of the random distribution of theelectric resistances connecting the various electric contacts Ci of thematrix.

BRIEF DESCRIPTION OF THE DRAWINGS

The following description, relating to the accompanying drawings givenby way of non-restrictive examples, show details to gain a fullerunderstanding of the invention and how it can be embodied:

FIG. 1 is a side view of an integrated circuit rendered secure byimplementing the method of the invention.

FIG. 2 is a top view of the integrated circuit of FIG. 1.

FIG. 3 is a diagram of the means for determining an encryption keyassociated with the integrated circuit of FIGS. 1 and 2.

FIG. 4 is an equivalent diagram of the determination means of FIG. 3.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The integrated circuit 10 shown on FIGS. 1 and 2 has a memory plane 11,or active face, on which metallic input/output hubs 12 and 13 are formedand intended to be connected by conductive wires to the metallic areasof a support (not shown) which, along with the integrated circuit 10,constitutes the electronic module of a smart card.

As can be seen on FIGS. 1 and 2, a matrix of 9 electric contacts (i=1, .. . 9) has been embodied on the surface of the memory plane 11 of thecircuit 10. This matrix of electric contacts is covered by means ofscreen printing, for example, with a layer 14 of a random inhomogeneouselectric resistivity material 14, such as a mixture of a low electricresistivity ink and a high electric resistivity ink. The material layer14 may have a thickness of about a maximum of 10 μm.

As shown on FIGS. 1 and 2, the conventional paths between the variouselectric contacts Ci of the matrix may assume extremely varied shapesresulting from the random structure of the electric resistivity insidethe layer 14. It is this random distribution of the electric resistancesbetween the contacts Ci which constitutes the basis of the method fordetermining an encryption key Kr, known as a resistive key, associatedwith the integrated circuit 10, said key being, as it were, adigitalized expression of the distribution of the resistances, as shallbe explained later in more detail.

Note that, because the encryption key Kr of the circuit is finallycontained inside the material layer 14, it is advantageous to protectsaid layer by covering it with a metallic screen 15 which moreover cantake part in establishing the conventional paths indicated on FIG. 2.

In the same way as with the layer 14, the metallic screen 15 may have athickness of 10 μm (in this respect, the drawing of FIG. 2 has not beenshown to scale).

FIG. 3 shows a diagram of the means used to determine the encryption keyKr applied to the circuit structure of FIGS. 1 and 2.

These determination means comprise a bus including a line L₁ with afirst voltage V_(cc), a measuring line L₂ and a line L₃ with a secondvoltage V_(ss). Each line L₁, L₂, L₃ of the bus can be connected to anelectric contact of the matrix by means of three controllable analogswitches K₁, K₂ and K₃ respectively. In other words, each contact Ci canbe connected solely to one of the lines L₁, L₂, L₃ of the bus.

The integrated circuit 10 controls the analog switches K₁, K₂ and K₃ soas to define a set of M (1=1, . . . , M) triplets of electric contacts(Cj, Ci, Ck), the contacts Cj, Ci and Ck being respectively connected tothe lines L₁, L₂ and L₃ of the bus. Thus, the equivalent circuit of FIG.4 is obtained and in which Rij and Rik represent the electricresistances connecting the contact Ci to the contacts Cj and Ckrespectively. The choice of the contacts Cj, Ci, Ck is determined eitherfrom the information CI of the circuit 10, or from a list written in thenon-volatile memory of the circuit.

So as to be able to carry out a significant comparison of theresistances Rij and Rik, it is advantageous for each triplet (Cj, Ci,Ck)1 that the contacts Cj and Ck be equidistant from the contact Ci. Inthis case, the resistances Rij and Rik, although equivalent, aregenerally different owing to the fact of the random inhomogeneity of theelectric resistivity of the material layer 14. This difference is thenused to allocate to each triplet (Cj, Ci, Ck)1 a bit b1 conventionallydefined by:

b₁ =1 if Rij>Rik

b₁ =0 if Rij<Rik

Thus, one has a random set of M bits b₁ which, arranged according to anordered sequence, determine the encryption key Kr to be allocated to theintegrated circuit 10.

In practice, the voltage of the measuring line L2 is compared with(V_(cc) +V_(ss))/2, the sign of this comparison making it possible toestablish the logic information b₁. This relative resistance measuringtechnique has the advantage of being freed of temperature and voltagevariations.

It is also important to note that the additional measuring resistancesneed to be extremely small so as to avoid reducing the influence of thedispersion of the inhomogeneous resistances to be measured. In fact, themeasuring channels are themselves dispersions which, if they were tobecome too large, would render inadequate the influence and modificationof the material layer 14, which would open up the possibility of a fraudbeing committed.

In the example of the 3×3 matrix of FIGS. 1 and 2, the tripletssatisfying the equidistance condition are:

(C₁, C₂, C₃) 1 (C4, C5, C6)2, (C7, C8, C9)3

(C4, C1, C2)4, (C2, C3, C6)5, (C8,C9,C6)6, (C4, C7, C8)7

(C1, C4, C7)8, (C2, C5, C8)9, (C3, C6, C9)10

(C1, C5, C9)11, (C7, C5, C3)12

(C1, C7, C9)13, (C1, C3, C9)14

(C2, C7, C9)15, (C1, C8, C3)16

(C2, C4, C8)17 (C2, C6, C8)18

Thus, 18 bits b₁ are obtained each associated with one of the 18triplets and hence and 18 bit encryption key.

If required, the key Kr can be corrected by an error correction codestored in the memory on customization of the card. However this codedoes not make it possible to refind the key if there is no initial key.

The other resistive keys, namely the alarm key KA and the stand-by keyKS are determined in the same way, the choice of the contacts Cj, Ci, Ckbeing different.

What is claimed is:
 1. Method for determining an encryption keyassociated with an integrated circuit having a memory plane, whereinsaid method comprises the following stages:(a) embodying a matrix of Nelectric contacts C_(i) on the surface of the memory plane, (b) placingon said matrix a layer of a random inhomogeneous electric resistivitymaterial, (c) determining said encryption key, known as the resistivekey Kr, on the basis of the random distribution of the electricresistances connecting the various electric contacts C_(i) of thematrix.
 2. Method according to claim 1, wherein the stage (c) furtherincludes the determination on initialization of the integrated circuitof another resistive key KA, known as a stand-by key, which is writtenin a non-volatile memory of said circuit, and wherein said secondresistive stand-by key KA is measured on each switching on of theintegrated circuit and compared with the stored value of KA, theencryption key Kr being erased should a negative comparison occur. 3.Method according to claim 2, wherein the stage (c) further includes thedetermination on initialization of the integrated circuit of anotherresistive key KS, known as a stand-by key, which is written in anon-volatile memory of said circuit, and wherein a key KD is calculatedfrom the resistive keys Kr and KS so that the encryption key Kr can becalculated from the keys KS and KD, the key KD being written into thenon-volatile memory of the integrated circuit.
 4. Method according toclaim 1, wherein the integrated circuit possess its own information CIdefining the list of the resistances to be used to determine saidresistive keys.
 5. Method according to claim 1, wherein the list of theresistances to be used is established by the integrated circuit at thetime of initialization according to the measured resistances.
 6. Methodaccording to claim 5, wherein said list is written into a non-volatilememory of the integrated circuit.
 7. Method according to claim 6,wherein, after initialization of the integrated circuit, any entering oflists in said non-volatile memory is inhibited.
 8. Method according toclaim 5, wherein said list comprises resistances with valuessufficiently distant from one another.
 9. Method according to claim 5,wherein said list comprises resistances with values of the same order ofmagnitude.
 10. Method according to claim 5, wherein said list comprisesresistances with values contained within a given range.
 11. Methodaccording to claim 2, wherein the stage (c) for determining saidresistive keys, after having defined a set of M triplets of electriccontacts, consists of:allocating to each triplet a bit b₁ conventionallydefined by:b₁ =1 if Rij>Rik b₁ =0 if Rij<Rik Rij and Rik being theelectric resistances connecting the contact Ci to the contacts Cj and Ckrespectively; construct the resistive key in the form of an orderedsequence of M bits b₁.
 12. Method according to claim 11, wherein foreach triplet the contacts Cj and Ck are equidistant from the contact Ci.13. Method according to claim 1, wherein following stage (b) itcomprises a stage consisting of placing a metallic screen on saidmaterial random inhomogeneous electric resistivity layer.
 14. Methodaccording to claim 1, wherein said random inhomogeneous electricresistivity layer is embodied by mixing an ink with low electricresistivity with an ink with high electric resistivity.
 15. Secureintegrated circuit and having a memory plane, wherein it comprises amatrix of N electric contacts Ci on the surface of said memory plane, alayer of a random inhomogeneous electric resistivity material placed onsaid matrix, and means for determining an encryption key on the basis ofthe random distribution of the electric resistances connecting thevarious electric contacts Ci of the matrix.
 16. Secure integratedcircuit according to claim 15, wherein said determination means aresuitable for determining on initialization of said circuit an encryptionkey Kr known as a resistive key.
 17. Secure integrated circuit andhaving a memory plane, wherein it comprises a matrix of N electriccontacts Ci on the surface of said memory plane, a layer of a randominhomogeneous electric resistivity material placed on said matrix, andmeans for determining an encryption key on the basis of the randomdistribution of the electric resistances connecting the various electriccontacts Ci of the matrix,wherein said determination means are suitablefor determining on initialization of said circuit an encryption key Krknown as a resistive key, and wherein said determination means are alsosuitable for determining on initialization of said circuit anotherresistive key Ka known as an alarm key so as to implement the methodaccording to claim
 2. 18. Secure integrated circuit and having a memoryplane, wherein it comprises a matrix of N electric contacts Ci on thesurface of said memory plane, a layer of a random inhomogeneous electricresistivity material placed on said matrix, and means for determining anencryption key on the basis of the random distribution of the electricresistances connecting the various electric contacts Ci of thematrix,wherein said determination means are suitable for determining oninitialization of said circuit an encryption key Kr known as a resistivekey, and wherein said determination means are also able to determine oninitialization of the circuit another resistive key Ks known as astand-by key for implementing the method according to claim
 3. 19.Secure integrated circuit according to claim 15, wherein said means fordetermining said resistive keys, after having defined a set of Mtriplets of electric contacts, are able to:allocate to each triplet abit b₁ conventionally defined by:b₁ =1 if Rij>Rik b₁ =0 if Rij<Rik Rijand Rik being the electric resistances connecting the contact Ci to thecontacts Cj and Ck respectively, construct the resistive key in the formof an ordered sequence of M bits b₁.
 20. Secure integrated circuitaccording to claim 19, wherein for each triplet, the contacts Cj and Ckare equidistant from the contact Ci.
 21. Secure integrated circuitaccording to claim 19, wherein said means for determining the resistivekeys firstly comprise a bus including a line to with a first voltageVcc, a measuring line and a line with a third voltage Vss, and secondlythree controllable analog switches for connecting each contact Ci to oneof the lines.
 22. Secure integrated circuit according to claim 15,wherein said random inhomogeneous electric resistivity material layer iscovered with a metallic screen.
 23. Secure integrated circuit accordingto claim 15, wherein said random inhomogeneous electric resistivitymaterial is a mixture of an ink with high electric resistivity and anink with low electric resistivity.